Preparing Payments & E-Money Firms for the New Safeguarding Regime

With changes to the safeguarding regime for payments and e-money firms approaching, as outlined in the FCA's dedicated Payments Safeguarding Policy Statement (PS25/12), the FCA held a session to provide guidance on the final rules and explain what firms need before the changes take effect.
 
The FCA held a webinar last week to address upcoming changes to the safeguarding regime for payments and e-money firms, which the regulator set out in its Payments Safeguarding Policy Statement. The webinar aimed to support payments and e-money firms in navigating the final rules and guidance for the supplementary regime, as well as the implications it will have for firms when it comes into force on 7 May 2026.
 
Payment and e-money firms will fall within the scope of the upcoming supplementary safeguarding regime designed by the FCA to help firms address weaknesses in current safeguarding practices. Firms will need to consider and comply with the following priority areas:
 
  1. CASS 15: Safeguarding standards for payment services firms and e-money institutions will now align more closely with existing CASS standards applied to investment firms. The FCA highlighted that CASS 15 sets out a clear definition of the safeguarding obligation and expected treatment of relevant funds. It also includes organisational requirements for safeguarding, rules and guidance on insurance and comparable guarantees, and the expectations behind the selection and appointment of third parties.

  2. Resolution Packs: Firms must maintain a resolution pack, collating all necessary information for the timely return of funds in the event of a firm’s insolvency or resolution. Resolution packs will need to be maintained to assist key external stakeholders, for example, insolvency practitioners, so they have access to key documents immediately and achieve a timely return of relevant funds.

  3. Annual Safeguarding Audits: Firms will be required to arrange annual audits of their safeguarding compliance. These need to be conducted by a qualified external ‘statutory’ auditor. This audit must state whether the firm has maintained systems that comply with the ‘relevant funds’ regime, both throughout and at the end of the audit period.

  4. Reporting Safeguarding Returns: Firms will be required to submit a new monthly regulatory return through the RegData platform, within 15 business days of the end of each month.

  5. Next Steps: The FCA also set out the timeline it expects firms to follow in aligning with the supplementary regime when it comes into force on 7 May 2026:
  • July 2026: First safeguarding regulatory returns are due.
  • 13 May 2027: The latest date on which the first audit period can end (for firms subject to the audit requirements when the rules come into force). Firms will have the right to choose their audit date.
  • 13 November 2027: The latest date when the first statutory audits are due to be submitted to the FCA. However, the determination of the audit period should be aligned with the firm’s own accounting dates, audit cycle and business requirements, so the regulator will expect to see audits received earlier than this date.

What are the priorities for the upcoming rule changes?

  1. Undertake a Readiness and Impact Assessment for Safeguarding Audits and Exemptions: Firms should begin to develop and enhance procedures and controls to ensure they are prepared to undertake statutory safeguarding audits. Implementing robust policies, procedures and controls early can ensure firms are managing compliance proactively. Undertaking a readiness and impact assessment will assist firms in preparing to comply with requirements, particularly if any remedial work is required.

  2. It should be noted that firms safeguarding up to £100,000 (at any time over a period of at least 53 weeks) are exempt from requiring an auditor to perform a safeguarding audit under SUP 3A. However, the firm’s senior management must, on an ongoing basis, determine if the firm meets this exemption.

  3. Record Keeping: The FCA reiterated the continuing importance of record keeping, as already set out in Chapter 10 of the FCA’s Approach document. Firms must ensure they have robust record retention management policies and procedures in place so that records and accounts are available at any time without delay. This includes the ability to distinguish between relevant funds and other funds (as well as to determine the total amount of relevant funds they should be holding for each client).

  4. Reconciliation: Under the new rules, firms will be required to carry out internal and external reconciliation no less than once each reconciliation day (i.e. all days excluding weekends, bank holidays or days when relevant foreign markets are not open). In addition, the FCA have introduced rules allowing a non-standard method of internal reconciliation. This is subject to conditions: before establishing a non-standard method, firms must first document how the proposed method will ensure safeguarding compliance, and the methodology must be reviewed by a qualified independent auditor.

  5. Safeguarding Returns: The FCA intends to hold a demo of the new regulatory return for reporting on safeguarding in early 2026. Prior to the rules coming into force, firms will be able to download the return as a PDF. Firms will also have the opportunity to test their return in the FCA’s Industry Test Environment in due course.

How Thistle Initiatives Can Help
 
Thistle’s Payments Services Team has been supporting firms with regulatory approvals and compliance for over a decade and has undertaken numerous safeguarding audits with payment firms. With less than 6 months remaining until the final rules come into force, our team offer regulatory compliance support tailored to your firm’s needs to align with the upcoming FCA expectations:

Contact us for:
  • Regulatory readiness and impact assessments (health checks) to support your firm in complying with the upcoming regulatory changes to safeguarding obligations.
  • An initial (non-statutory) safeguarding audit prior to your firm's first statutory audit due by 13 November 2027. This will ensure your firm can remediate any material deficiencies in your current safeguarding arrangements prior to the ‘go-live’ whilst mitigating any material or severe risks or issues in advance of the statutory safeguarding audit regime, decreasing the likelihood of regulatory scrutiny and potential enforcement action.
  • Whilst not subject to statutory audit requirements, firms that remain below the £100,000 threshold are still required to have adequate arrangements in place and minimise risk. For such firms, Thistle can remain a vital support in navigating safeguarding compliance with the new requirements. This would be especially important for firms that anticipate growth that may result in them later exceeding the threshold limit.

If you would like to discuss how we can support you during this implementation period and beyond, please get in touch with Rohan Chakraborty (rohan.chakraborty@thistleinitiatives.co.uk), William Lee (william.lee@thistleinitiatives.co.uk) or call the Thistle team on 020 7436 0630.

Meet the Experts

Rohan Chakraborty, Senior Consultant

Leveraging his experience as a risk advisory consultant providing regulatory and legal support for banks, PSPs and EMIs, Rohan joined Thistle Initiatives in 2023 as part of its Payment Services team.

He is excited to work alongside a talented team of payment experts to continue guiding clients in meeting their regulatory obligations.

 

 

William Lee, Manager

William has joined our Payment Services team as a Manager, bringing experience from Revolut’s Regulatory Affairs team and his previous role as a Policy Advisor at UK Finance. He has worked extensively on financial policy relating to digital assets and payments, leading industry working groups and regulatory engagement.